Sunday 22 November 2009

Quickpost: SelectMyParent or Playing With the Windows Process Tree

I read something very interesting in “Windows via C/C++” today: starting with Windows Vista, CreateProcess can start a program where you specify the parent process! This is something forensic investigators must be aware of when they analyse processes running on a Windows machine.

Normally the parent process of a new process is the process that created the new process (via CreateProcess). But when using STARTUPINFOEX with the right LPPROC_THREAD_ATTRIBUTE_LIST to create a process, you can arbitrarely specify the parent process, provided you have the rights (i.e. it’s your process or you have debug rights).

I developed a small tool to start a program while specifying its parent process: SelectMyParent. Here I use it to start notepad as a child of lsass.exe:

2 remarks about this example:

to make lsass.exe a parent process, you need to use SelectMyParent with admin rights and elevate its rights (Run as administrator)

I don’t know how one can detect that a process’ parent is not the process that created it, because a process has no access to its extended startup info (only to its startup info). And it is the extended startup info that contains the attribute list with the handle to the parent process.

Like this:

Related

I’d like to expand on my questions that I asked via Twitter. Those being:
1. Are you able to move a currently running process under another one?
2. Are there any privileges applied to the parent/child relationship of processes?

You said that a child access the “inheritable handles”. I don’t know what exactly ‘handles’ are, but if you were able to migrate a running process under one that you created you might get some interesting permissions to it. Or say, Process A has handles H that Process B uses, if you were some how to hijack Process B or put yourself in between process A and process B, you might be able to alter the state of those handles.

But getting back to the ability of your app, for software that starts an “update” process, there might be some inheritable handles that you could get a hold of by impersonating the update process that it starts since most coders wont think about the security of child processes… yet.

This has always been the case on NT, actually. The underlying system call has always allowed you to specify an inherit from process handle (provided you have PROCESS_CREATE_PROCESS access to said processs — a sensitive access level).

It just so happens that the Win32 wrapper typically always uses the creator’s process handle as the inherit from process handle.

The link between a creator process and a ‘child’ process has always been extremely tenuous in NT.

Yes, that’s correct. Someone could have just as easily thunked down to the raw system call however and bypassed CreateProcess, so this is something that has required handling from the get-go and not just on Vista or later. It’s entirely possible to do exactly the same thing on earlier systems, and

Note that there is no security implication here as privileged access (PROCESS_CREATE_PROCESS) to a process is required to inherit from it. This access right is typically only given to the object owner, system, and administrators.